WordPress Security Measures: Practical Steps to Prevent Unauthorized Access and Recovery Methods

Recently, it seems that my WordPress site was hacked, as the message “hello admin system hacked” appeared.

The login username and password were changed without my consent, so I couldn’t log in with my usual credentials. It appears that the user information has been altered. Since the database user wasn’t affected, I decided to operate MySQL via the command line.

mysql -u root -p

Next, I switched to the database used by WordPress.

use wpblog

I then checked the user information in the database used by WordPress.

select ID,user_login from wp_users;

A user that I never created was present, and the legitimate user had been deleted.

So, I decided to change the password for this unauthorized user.

update wp_users set user_pass=md5('testpass') where user_login='test-ekeeke-tea';

With this user information, you should be able to log in to the WordPress admin panel.

Once logged in, I found that the theme had been altered to a tampered version of Twenty Twenty-One, and all plugins had been disabled.

I restored these settings to the original ones to repair the site.

Other Cases

1. Case 1: Unauthorized Access Due to a Massive Brute Force Attack

A Brute Force Attack is a method where hackers repeatedly attempt various combinations until they find the correct password. This type of attack is particularly effective against sites with weak passwords, and many WordPress sites have fallen victim to it.

For example, in 2021, there was a massive wave of brute force attacks. Thousands of WordPress sites worldwide were targeted, with attackers using automated tools to attempt access to administrator accounts.

One of the affected sites had its administrator account’s password cracked through a brute force attack, leading to a complete takeover of the site. The attackers altered the site’s content, embedded malicious links, and injected SEO spam, causing the site to lose credibility.

As countermeasures, it is recommended to use strong passwords, implement two-factor authentication, and use security plugins that can detect and defend against brute force attacks.

2. Case 2: Exploiting Vulnerabilities in a Plugin

While WordPress plugins add convenient features, they also come with security risks. Plugins that are no longer updated or supported by their developers often have vulnerabilities, making them easy targets for attackers.

For instance, in 2020, a critical vulnerability was discovered in the popular File Manager plugin. This vulnerability allowed attackers to send specially crafted requests to gain administrative privileges. In attacks leveraging this vulnerability, the attackers created unauthorized admin accounts, taking control of entire sites.

Administrators of affected sites experienced severe consequences, such as unauthorized changes to site settings and the insertion of malicious code. Even after administrators patched the vulnerability, attackers sometimes re-entered the sites through backdoors they had previously inserted.

To mitigate such risks, it is crucial to keep plugins up to date, uninstall unused plugins, and regularly perform security checks.

3. Case 3: Administrator Account Hijacked Through Phishing

Phishing attacks involve attackers using fake login pages or emails to steal users’ login information. These attacks are more likely to succeed when they mimic sites or services that users frequently visit.

In 2019, a phishing campaign targeted WordPress administrators. Attackers sent fake emails pretending to be from the official WordPress site or hosting providers, directing users to fraudulent login pages. The information entered on these pages was sent to the attackers, who then hijacked the legitimate administrator accounts.

Many administrators lost their accounts without realizing it, leading to numerous cases of unauthorized access to sites. Attackers used the stolen accounts to post spam and insert malicious links.

To prevent such attacks, it is advised not to click on suspicious emails or links, to ensure SSL (https) is enabled when logging in via a browser, and to implement two-factor authentication.

Specific Measures

1. Implementing Multi-Factor Authentication (Two-Factor Authentication)

Explanation: Multi-Factor Authentication (MFA) enhances security by adding an extra verification step to the login process. Typically, in addition to the password, you’ll need to enter an authentication code sent via a smartphone app or SMS. Even if your password is compromised, this additional step serves as a barrier against unauthorized access.

How to Implement: WordPress offers plugins like “Google Authenticator” or “Authy,” which make it easy to implement two-factor authentication. This greatly enhances the security of administrator accounts.

2. Using Security Plugins

Explanation: WordPress has many security plugins that can comprehensively enhance the security of your entire site. These plugins offer various protective features such as defense against brute force attacks, firewall settings, malware scanning, and monitoring login attempts.

Recommended Plugins: “Wordfence” and “Sucuri Security” are well-known plugins. Even their free versions offer basic security features, while the paid versions provide even more advanced protection.

3. Hiding Usernames and Securing the Login Page

Explanation: Many attackers exploit the default “admin” username or publicly available administrator usernames. Therefore, it’s effective to prevent usernames from being exposed and to hide the login page URL by changing it.

How to Implement: Use the “WPS Hide Login” plugin to change the default WordPress login page URL from “/wp-login.php.” Also, to prevent the exposure of usernames, set a nickname in your profile settings and change the displayed author name accordingly.

4. Regular Updates of WordPress and Plugins

Explanation: When security holes or bugs are discovered, developers promptly release fixes. Therefore, keeping WordPress core, plugins, and themes up to date is crucial for maintaining site security. Using outdated versions increases the risk of attackers exploiting known vulnerabilities.

How to Implement: You can easily check and perform updates from the WordPress admin dashboard. Additionally, you can automate updates using the “Easy Updates Manager” plugin.

5. Using Official Themes and Plugins

Explanation: Themes and plugins from untrusted sources often carry security risks, including the possibility of embedded backdoors or malware. Using themes and plugins from the official WordPress repository or reputable developers reduces this risk.

How to Implement: When installing themes or plugins, use the official WordPress directory or purchase them from reliable marketplaces (e.g., ThemeForest, CodeCanyon).

6. Utilizing Security Services

Explanation: If you find it challenging to implement security measures yourself, using a specialized security service is an option. These services manage and monitor your site’s security, and quickly respond to issues if they arise.

Recommended Services: Security services like “Sucuri” or “Cloudflare” provide comprehensive protection for your website, including monitoring and defense against attacks.

Post-Hack Response Measures

1. Checking for Signs of Hacking

Explanation: It is crucial to identify signs of hacking as early as possible. These signs may include:

  • Administrator account changes: Suddenly being unable to log in or discovering that a new administrator account has been created.
  • Content tampering: Unwanted links or ads being added to pages or posts.
  • Site performance issues: The site becomes unusually slow or experiences frequent downtimes.
  • Suspicious files: Unrecognized files or folders appearing on the server.

2. Restricting Access to the Site

Explanation: If signs of hacking are confirmed, the first step is to restrict access to the site to prevent further damage. This involves the following steps:

  • Setting the site to maintenance mode: Use a plugin to temporarily close the site and limit access from the public.
  • Restricting administrator login: Temporarily block logins from IP addresses other than the administrator’s, or change the administrator account password.

3. Removing Suspicious Files and Code

Explanation: The next step is to remove potentially compromised files and suspicious code. Proceed as follows:

  • Identifying suspicious files: Use an FTP client or the server’s file manager to look for unfamiliar or modified files within the theme or plugin folders.
  • Removing malicious code: If malicious code is found in a file, remove the affected portions. Files like functions.php, header.php, and footer.php are often targeted.
  • Restoring files: Consider restoring files from a backup. If a reliable backup is available, use it to restore the entire site to its original state.

4. Changing Passwords and Keys

Explanation: Change all passwords (WordPress login, database, FTP, hosting account) and security keys.

  • Changing the administrator password: Update the administrator account password to a strong one. It is also recommended to change the passwords for other user accounts.
  • Changing database and FTP passwords: Be sure to change the MySQL database user password and the FTP account password.
  • Updating WordPress security keys: Update the authentication security keys in the wp-config.php file to invalidate all sessions. This will force all logged-in sessions to terminate.

5. Rechecking the Site and Strengthening Security

Explanation: Verify that the site is functioning normally and implement security enhancements to prevent recurrence.

  • Installing security plugins: Install the security plugins mentioned above to strengthen site monitoring and protection.
  • Monitoring file changes: Set up a plugin to automatically detect file changes, enabling you to respond quickly to unauthorized modifications.
  • Reviewing logs: Check server logs and WordPress activity logs for signs of attacks or indications of a recurrence.

6. Backups and Regular Maintenance

Explanation: After recovering from a hack, take measures to prevent similar issues from recurring.

  • Regular backups: Create full backups of the site regularly and store them in a secure external location. This ensures quick recovery in the event of another hack. Ideally, regular backups should be taken before any issues occur and then restored as needed.
  • Security checks: Conduct regular security assessments of the site to identify and address vulnerabilities early.

Educational Aspects

1. Training to Improve Security Awareness

Explanation: Regular training is essential to ensure that administrators and users understand and can implement basic security principles. This enhances their sensitivity to security risks and encourages vigilance in day-to-day operations.

Examples:

  • Conducting regular seminars and workshops: Offer opportunities to learn about WordPress security best practices. For example, explain the importance of password management and how to set up two-factor authentication.
  • Offering online courses: Utilize platforms like UDEMY or Coursera to enroll users in security-related online courses.

2. Educating About Phishing Countermeasures

Explanation: Phishing attacks are a method used to trick users into revealing their credentials. It is crucial to educate users on how to identify phishing emails and fake login pages.

Examples:

  • Teaching how to identify phishing emails: Explain how to verify the sender’s email address and the importance of not clicking on suspicious links.
  • Conducting simulation tests: Send test emails that mimic phishing attacks to assess how well users respond. This helps them develop practical skills.

3. Understanding the Importance of Strong Passwords

Explanation: Passwords that are easy to guess are vulnerable to brute force attacks. Educate users on how to create and manage strong passwords.

Examples:

  • Recommending the use of password managers: Tools like LastPass or 1Password make it easier to manage complex and unique passwords. Personally, I use KeePassXC.
  • Teaching how to generate passwords: Explain how to create random strings or long passwords and the importance of regularly changing passwords.

4. Establishing Regular Software Updates as a Habit

Explanation: Software updates often include security patches, and neglecting them increases the risk of known vulnerabilities being exploited. Emphasize the importance of updates and encourage regular implementation.

Examples:

  • Setting up automatic updates: Explain how to enable automatic updates for WordPress and plugins, and guide users on not neglecting manual updates.
  • Creating an update schedule: Develop a regular maintenance schedule to ensure administrators do not forget to perform updates.

5. Promoting Safe Browsing Habits

Explanation: Teaching users basic habits for safe internet use is crucial for reducing security risks.

Examples:

  • Emphasizing the importance of HTTPS: Teach users how to verify that a site is using HTTPS to ensure secure communication.
  • Encouraging the use of trusted sites: Advise users to avoid suspicious sites and unknown links, and explain the importance of obtaining information only from official or trusted sources.

6. Conducting Regular Security Reviews and Audits

Explanation: Regularly checking the site’s security status and developing the habit of early detection and correction of potential vulnerabilities is crucial.

Examples:

  • Conducting security scans: Regularly run site-wide security scans using specialized tools or plugins.
  • Reviewing logs: Regularly check server logs and WordPress activity logs for suspicious activities.

7. Developing an Incident Response Plan

Explanation: It’s important to have a pre-established response plan to quickly and effectively respond if a security incident occurs.

Examples:

  • Creating a contact list: Compile a list of people to contact in the event of an incident, including external security experts.
  • Clarifying response procedures: Document specific steps to take in case of an incident (e.g., temporarily shutting down the site, taking backups, resetting passwords).

Additional Resources and Links

1. Links to Trusted Security Guides and Tutorials

Explanation: Provide links to reliable guides and tutorials for readers who wish to gain a deeper understanding of security. This enables them to research and learn independently.

Examples:

  • WordPress Codex: Hardening WordPress Provide a link to the official WordPress Hardening Guide. This page offers detailed, officially recommended steps for securing a WordPress site.
  • Sucuri’s WordPress Security Guide Sucuri’s comprehensive security guide provides valuable information for both beginners and advanced users. It details specific methods for enhancing site security.

2. Links to Official Documentation for Security Plugins and Tools

Explanation: By providing links to the official documentation of security plugins or tools that readers are using or considering, they can access detailed information about setup and usage.

Examples:

  • Wordfence Official Documentation The Wordfence official help page includes everything needed from installation to setup and troubleshooting.
  • iThemes Security Documentation The official site of iThemes Security offers detailed explanations of the plugin’s features and setup methods. This link helps readers who want to configure it on their own.

3. Links to the Latest Security News and Blogs

Explanation: Security is an ever-evolving field, and staying informed with the latest news is essential. By providing links to trusted security news sites or blogs, readers can stay updated on the latest threats and countermeasures.

Examples:

  • Krebs on Security Krebs on Security is a blog run by cybersecurity journalist Brian Krebs. It provides the latest security news and analysis.
  • The Hacker News The Hacker News is a blog that offers news on the latest hacking techniques and security threats. It’s a valuable resource for readers interested in cybersecurity.

4. Links to Online Forums and Communities

Explanation: Provide links to forums and communities where users can exchange information with others or get help with problem-solving. This allows readers to quickly get support for their questions and issues.

Examples:

  • WordPress Support Forum The official support forum on WordPress.org is where users can post questions about WordPress and get help from other community members.
  • Stack Overflow Stack Overflow is a site for programming questions and answers, with many topics related to WordPress. It’s helpful for finding specific solutions to technical questions.

5. Links to Books or PDF Guides

Explanation: For readers who want to learn more deeply, introduce books or PDF guides on security, and provide links to purchase or download them.

Examples:

  • “WordPress Security Made Easy” (Amazon Link) A book available on Amazon that explains the basics of WordPress security in a way that’s easy for beginners to understand.
  • OWASP’s “Web Security Testing Guide” PDF A comprehensive web security testing guide available for free download from OWASP’s official site.
Please share if you like it!
TOC